The Hacker News — Cyber Security, Hacking, Technology News

SHA-1, Secure Hash Algorithm 1, a very popular cryptographic hashing function designed in 1995 by the NSA, is officially dead after a team of researchers from Google and the CWI Institute in Amsterdam announced today submitted the first ever successful SHA-1 collision attack.

SHA-1 was designed in 1995 by the National Security Agency (NSA) as a part of the Digital Signature Algorithm. Like other hashes, SHA-1 also converts any input message to a long string of numbers and letters that serve as a cryptographic fingerprint for that particular message.

Collision attacks appear when the same hash value (fingerprint) is produced for two different messages, which then can be exploited to forge digital signatures, allowing attackers to break communications encoded with SHA-1.

The explanation is technologically tricky, but you can think of it as attackers who surgically alters their fingerprints in order to match yours, and then uses that to unlock your smartphone.

The researchers have been warning about the lack of security of SHA1 from over a decade ago, but the hash function remains widely used.

In October 2015, a team of researchers headed by Marc Stevens from the Centrum Wiskunde & Informatica (CWI) in the Netherlands had published a paper that outlined a practical approach to creating a SHA-1 collision attack – Freestart Collision.

At that time the experts estimated that the cost of an SHA-1 collision attack would cost between $75,000 and $120,000 using computing power from Amazon’s EC2 cloud over a period of a few months.

The Collision Attack 'SHAttered' the Internet

The Google approached the same group of researchers, worked with them and today published new research detailing a successful SHA1 collision attack, which they dubbed SHAttered and costs just $110,000 to carry out on Amazon's cloud computing platform.

As proof of concept, the new research presents two PDF files [PDF1, PDF2] that have the same SHA1 hash, but display totally different content.

According to researchers, the SHAttered attack is 100,000 faster than the brute force attack.

"This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations," the researcher explains.

"While those numbers seem very large, the SHA-1 shattered attack is still more than 100,000 times faster than a brute force attack which remains impractical."

90-days for Services to Migrate to Safer Cryptographic Hashes

Despite declared insecure by researchers over a decade ago and Microsoft in November 2013, announcing it would not accept SHA1 certificates after 2016, SHA1 has widely been used over the Internet.

So, it's high time to migrate to safer cryptographic hashes such as SHA-256 and SHA-3.

Google is planning to release the proof-of-concept (PoC) code in 90 days, which the company used for the collision attack, meaning anyone can create a pair of PDFs that hash to the same SHA-1 sum given two distinct images with some pre-conditions.

Therefore, an unknown number of widely used services that still rely on the insecure SHA1 algorithm have three months to replace it with the more secure one.

Meanwhile, Google and researchers have released a free detection tool that detects if files are part of a collision attack. You can find both the tool and much more information about the first collision attack at shattered.io.

Passwords are the first line of defense against cyber criminals. It is the most vital secret of every activity we do over the internet and also a final check to get into any of your user account, whether it is your bank account, email account, shopping cart account or any other account you have.

We all know storing passwords in clear text in your database is ridiculous. Many desktop applications and almost every web service including, blogs, forums eventually need to store a collection of user data and the passwords, that has to be stored using a hashing algorithm.

Cryptographic hash algorithms MD5, SHA1, SHA256, SHA512, SHA-3 are general purpose hash functions, designed to calculate a digest of huge amounts of data in as short a time as possible. Hashing is the greatest way for protecting passwords and considered to be pretty safe for ensuring the integrity of data or password.

The benefit of hashing is that if someone steals the database with hashed passwords, they only make off with the hashes and not the actual plaintext passwords. But why do we always hear about passwords being cracked? There are some weaknesses in cryptographic hash algorithm that allows an attacker to calculate the original value of a hashed password, as explained below:

PROBLEMS WITH CRYPTOGRAPHIC HASH ALGORITHM

Brute Force attack: Hashes can’t be reversed, so instead of reversing the hash of the password, an attacker can simply keep trying different inputs until he does not find the right now that generates the same hash value, called brute force attack.

General-purpose hash function designed for speed,because they are often used to calculate checksum values for large data sets and files, to check for data integrity. Using a modern computer one can crack a 16 Character Strong password in less than an hour, thanks to GPU.

Hash Collision attack: Hash functions have infinite input length and a predefined output length, so there is inevitably going to be the possibility of two different inputs that produce the same output hash. MD5, SHA1, SHA2 are vulnerable to Hash Collision Attack i.e. two input strings of a hash function that produce the same hash result.

Salting your password may foil dictionary attacks, but an attacker can still use a wordlist to crack the hashes. So, what exactly could be a good for securing your passwords with hashing?

BCrypt, IT's SLOW AND STRONG AS HELL

To overcome such issues, we need algorithms which can make the brute force attacks slower and minimize the impact. Such algorithms are PBKDF2 and BCrypt, both of these algorithms use a technique called Key Stretching.

Bcrypt is an adaptive hash function based on the Blowfish symmetric block cipher cryptographic algorithm and introduces a work factor (also known as security factor), which allows you to determine how expensive the hash function will be.

This work factor value determines how slow the hash function will be, means different work factor will generate different hash values in different time span, which makes it extremely resistant to brute force attacks.When computers become faster next year we can increase the work factor to balance it out i.e. to make the attack slower.

This hashing algorithm is implemented in a number programming languages like PHP, Java, Ruby, C#, C etc. If you are a PHP developer, you can simply use the crypt() function with a Blowfish required salt.

<?php

// Generate a password using a random salt

password_hash($password, PASSWORD_BCRYPT);

// Generate a password with a known salt

password_hash($password, PASSWORD_BCRYPT, array("salt" => $salt));

// This will cause crypt to generate a bcrypt hash

$salt = '$2y$10$' . mcrypt_create_iv(22);

$salted_password = crypt($password, $salt)

This method of hashing passwords is solid enough for most web applications that stores users’ passwords and other sensitive data.

The National Institute of Standards and Technology (NIST) had published a document on Jan 2011 that the SHA-1 algorithm will be risky and should be disallowed after year 2013, but it was recently noticed by Netcraft experts that NIST.gov website itself were using 2014 dated SSL certificate with SHA-1 hashes.

"From January 1, 2011 through December 31, 2013, the use of SHA-1 is deprecated for digital signature generation. The user must accept risk when SHA-1 is used, particularly when approaching the December 31, 2013 upper limit. SHA-1 shall not be used for digital signature generation after December 31, 2013." NIST in the document.

Digital signatures facilitate the safe exchange of electronic documents by providing a way to test both the authenticity and the integrity of information exchanged digitally. Authenticity means when you sign data with a digital signature, someone else can verify the signature, and can confirm that the data originated from you and was not altered after you signed it.

A digital certificate is essentially a bit of information that tells the Web server is trusted. Digital signatures are usually applied to hash values that represent larger data.

A Cryptographic hash function like MD5 and SHA-1 can transform input of an arbitrary length to an output of a certain number of bits, typically 128 or 160 bits. The output is called the hash value.

SHA-1 is a hashing algorithm that is currently enjoying widespread adoption. SHA-1 is a 160-bit hash functions, whose job is to ensure the integrity of a given piece of data. Different data yield unique hash values, and any change to a given piece of data will result in a different hash value. This was designed by the National Security Agency (NSA) to be a part of the Digital Signature Algorithm.

But in 2005, Cryptographic weaknesses were discovered in SHA-1. Hashes are designed to minimize the probability that two different pieces of data yield the same hash values, but yes, it is possible that two different data can have the same hash value, according to Cryptographic hash collisiontheory.

In February 2005, three female Chinese researchers - Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu have reduced the amount of time needed to find two documents with the same signature. Brute-force is the best way to find such collision points, where two messages can have the same hash value.

The Strength of digital signature is determined by the cryptographic key i.e. 160-bit for SHA-1. There are 2160 possible SHA-1 hash values and mathematical theory of Chinese researchers tell us that the chances that any two different pieces of data computing to the same value should be about 1 in 269, and the process is about 2,000 times faster than brute force.

At that time, it was predicted that practically doing so would take thousands of years, but today with modern cloud computing technology, such crypto attacks would cost only $700,000, which is an affordable project for well funded hacking group or Intelligence agencies like the NSA, GCHQ.

So it is potentially possible to exploit the SHA-1 crypto hash to spoof any digital signatures, and this is the reason that SHA-1 is being phased out of most governmental applications, and that NIST has recommended that SHA-1 not be used after 2013.

"An attacker able to find SHA-1 collisions could carefully construct a pair of certificates with colliding SHA-1 hashes: one a conventional certificate to be signed by a trusted CA, the other a sub-CA certificate able to be used to sign arbitrary SSL certificates. By substituting the signature of the CA-signed certificate into the sub-CA certificate, certificate chains containing the attacker-controlled sub-CA certificate will pass browser verification checks. This attack is, however, made more difficult by path constraints and the inclusion of unpredictable data in the certificate before signing it." Netcraft expert said.

For the use of digital signatures, we need the collision resistance property of the hash function. So, the latest Digital certificates of NIST are now verified by VeriSign, and using SHA-2 (SHA-256) with RSA in their certificates.

"In total, more than 98% of all SSL certificates in use on the Web are still using SHA-1 signatures. Netcraft's February 2014 SSL Survey found more than 256,000 of these certificates would otherwise be valid beyond the start of 2017 and, due to the planned deprecation of SHA-1, will need to be replaced before their natural expiry dates."

But not only NIST, other US government organizations are also using an outdated hashing algorithm, including Obamacare website healthcare.gov, donogc.navy.mil and several others.

However, in the same document, NIST also published a deadline of December 31, 2013 for switching over 1024 to 2048-bit certificate.

In February 2013, Symantec announced a multi-algorithm SSL certificates for Web servers that go beyond traditional crypto to include what’s known as the Elliptic Curve Cryptography (ECC) Digital Signature Algorithm (DSA).

ECC offers greater security as compared to other prevalent algorithms and 10,000 times harder to break than an RSA-bit key, i.e. Symantec ECC-256 certificates will offer equivalent security of a 3072-bit RSA certificate.